In message <Pine.BSD.3.91.950109121342.19279d-100000@get.wired.com>, Brian Behl endorf writes: > Brian > >--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-- >brian@hotwired.com brian@hyperreal.com http://www.hotwired.com/Staff/brian/ Yikes! Jinks! I asked for a reference to s-key in my p.s. Brian replies to other issues, but includes the address of his home-page. Dan wastes a little time surfing Brian's home-page, and subconsiously follows these links... http://www.hotwired.com/Staff/brian/ http://www.hotwired.com/Staff/brian/links.html http://www.ccs.neu.edu/home/thigpen/index.html http://www.ccs.neu.edu/home/thigpen/html/interests.html http://www.ccs.neu.edu/home/thigpen/html/security.html Which has a handy reference to the S/Key paper from bellcore: http://www.ccs.neu.edu/home/thigpen/docs/security_papers/ISOC.symp.ps After reading the S/Key paper, I think we should consider it in place of the simple challenge/response system. Advantages of S/Key: * passwords are _not_ stored on the server side in clear form. * user can securely use the same password at different sites * password can be changed without sending it over the net Drawbacks: * server-side passwd database is not read-only: server must update the user's count of logins each time * doesn't support the opaque="..." feature of the spyglass proposal DanReceived on Monday, 9 January 1995 14:23:38 EST
This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:31:13 EDT